5 Replies Latest reply on Apr 15, 2009 3:18 AM by armsargis

    Problem with user authorization using JBM Bridge configuatio

      Hi all, I am trying to configure a JBM Bridge. Here is my test configuration:

      jms-ds.xml:

       <mbean code="org.jboss.jms.jndi.JMSProviderLoader"
              name="jboss.messaging:service=JMSProviderLoader,name=JMSProvider">
         <attribute name="ProviderName">DefaultJMSProvider</attribute>
         <attribute name="ProviderAdapterClass">org.jboss.jms.jndi.JNDIProviderAdapter</attribute>
         <attribute name="FactoryRef">java:/XAConnectionFactory</attribute>
         <attribute name="QueueFactoryRef">java:/XAConnectionFactory</attribute>
         <attribute name="TopicFactoryRef">java:/XAConnectionFactory</attribute>
       </mbean>

       <mbean code="org.jboss.jms.jndi.JMSProviderLoader"
              name="jboss.messaging:service=JMSProviderLoader,name=SOClassRemoteJMSProvider">
         <attribute name="ProviderName">SOClassRemoteJMSProvider</attribute>
         <attribute name="ProviderAdapterClass">org.jboss.jms.jndi.JNDIProviderAdapter</attribute>
         <!-- The combined connection factory -->
         <attribute name="FactoryRef">java:/XAConnectionFactory</attribute>
         <!-- The queue connection factory -->
         <attribute name="QueueFactoryRef">java:/XAConnectionFactory</attribute>
         <!-- The topic factory -->
         <attribute name="TopicFactoryRef">java:/XAConnectionFactory</attribute>
         <attribute name="Properties">
           java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
           java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
           java.naming.provider.url=192.168.100.78:1099
         </attribute>
       </mbean>
      


      *-bridge-service

      <?xml version="1.0" encoding="UTF-8"?>
      <server>

        <mbean code="org.jboss.jms.server.bridge.BridgeService"
               name="jboss.jms:service=Bridge,name=SOClassBridge" xmbean-dd="xmdesc/Bridge-xmbean.xml">
          <depends optional-attribute-name="SourceProviderLoader">jboss.messaging:service=JMSProviderLoader,name=JMSProvider</depends>
          <depends optional-attribute-name="TargetProviderLoader">jboss.messaging:service=JMSProviderLoader,name=SOClassRemoteJMSProvider</depends>
          <depends>jboss.messaging.destination:service=Queue,name=SOClassCallbacks</depends>
          <attribute name="SourceDestinationLookup">/queue/SOClassCallbacks</attribute>
          <attribute name="TargetDestinationLookup">/queue/EllipseRequests</attribute>
          <attribute name="SourceUsername">ellipse</attribute>
          <attribute name="SourcePassword">ellipse123</attribute>
          <attribute name="TargetUsername">soclass</attribute>
          <attribute name="TargetPassword">soclass123</attribute>
          <!-- Optional: The Quality Of Service mode to use, one of:
               QOS_AT_MOST_ONCE = 0;
               QOS_DUPLICATES_OK = 1;
               QOS_ONCE_AND_ONLY_ONCE = 2; -->
          <attribute name="QualityOfServiceMode">0</attribute>
          <!--
          <attribute name="Selector">specify-jms-selector-here</attribute>
          -->
          <attribute name="MaxBatchSize">5</attribute>
          <attribute name="MaxBatchTime">-1</attribute>
          <!--
          <attribute name="SubName">mysub</attribute>
          -->
          <!--
          <attribute name="ClientID">myClientID</attribute>
          -->
          <attribute name="FailureRetryInterval">5000</attribute>
          <attribute name="MaxRetries">-1</attribute>
          <attribute name="AddMessageIDInHeader">false</attribute>
        </mbean>

      </server>


      According to my configs, I want to automatically forward messages from JMSProvider:/queue/SOClassCallbacks to SOClassRemoteJMSProvider:/queue/EllipseRequests.

      But I have a problem with authorization. Here is the output at trace log level from JMSProvider:

      16:50:38,446 TRACE [SecurityAspect] checking access permissions to JBossQueue[EllipseRequests]
      16:50:38,446 DEBUG [JBossASSecurityMetadataStore] No SecurityMetadadata was available for EllipseRequests, using default security config
      16:50:38,446 TRACE [SecurityMetadata] Adding role: Role {name=guest;read=true;write=true;create=true}
      16:50:38,446 TRACE [JBossASSecurityMetadataStore] authenticating user soclass
      16:50:38,447 TRACE [JBossASSecurityMetadataStore] authorizing user soclass for role(s) [guest]
      16:50:38,447 TRACE [JBossASSecurityMetadataStore] user soclass is NOT authorized
      16:50:38,447 WARN [Bridge] jboss.jms:name=SOClassBridge,service=Bridge Failed to send + acknowledge batch, closing JMS objects
      javax.jms.JMSSecurityException: User: soclass is not authorized to write to destination EllipseRequests
       at org.jboss.jms.server.container.SecurityAspect.check(SecurityAspect.java:312)
       at org.jboss.jms.server.container.SecurityAspect.handleSendTransaction(SecurityAspect.java:190)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.jboss.aop.advice.PerInstanceAdvice.invoke(PerInstanceAdvice.java:122)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       at org.jboss.jms.server.container.ServerLogInterceptor.invoke(ServerLogInterceptor.java:105)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       at org.jboss.jms.server.endpoint.advised.ConnectionAdvised.sendTransaction(ConnectionAdvised.java)
       at org.jboss.jms.wireformat.ConnectionSendTransactionRequest.serverInvoke(ConnectionSendTransactionRequest.java:82)
       at org.jboss.jms.server.remoting.JMSServerInvocationHandler.invoke(JMSServerInvocationHandler.java:143)
       at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:908)
       at org.jboss.remoting.transport.local.LocalClientInvoker.invoke(LocalClientInvoker.java:106)
       at org.jboss.remoting.Client.invoke(Client.java:1708)
       at org.jboss.remoting.Client.invoke(Client.java:612)
       at org.jboss.remoting.Client.invoke(Client.java:600)
       at org.jboss.jms.client.delegate.DelegateSupport.doInvoke(DelegateSupport.java:189)
       at org.jboss.jms.client.delegate.DelegateSupport.doInvoke(DelegateSupport.java:160)
       at org.jboss.jms.client.delegate.ClientConnectionDelegate.org$jboss$jms$client$delegate$ClientConnectionDelegate$sendTransaction$aop(ClientConnectionDelegate.java:221)
      
      


      As I noticed, JBM is trying to authorize the remote soclass user using the local security configs. Can you provide any info on why it's like this? Please note my remote config is OK: I tested it with a JMS client application and I am able to read and write to this queue.

        • 1. Re: Problem with user authorization using JBM Bridge configu

          One more note: if I create the EllipseRequests queue locally using the following config:

           <mbean code="org.jboss.jms.server.destination.QueueService"
                  name="jboss.messaging.destination:service=Queue,name=EllipseRequests"
                  xmbean-dd="xmdesc/Queue-xmbean.xml">
             <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
             <depends>jboss.messaging:service=PostOffice</depends>
             <attribute name="SecurityConfig">
               <security>
                 <role name="seamusers" read="true" write="true" create="true"/>
               </security>
             </attribute>
           </mbean>

           <mbean code="org.jboss.jms.server.destination.QueueService"
                  name="jboss.messaging.destination:service=Queue,name=EllipseCallbacks"
                  xmbean-dd="xmdesc/Queue-xmbean.xml">
             <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
             <depends>jboss.messaging:service=PostOffice</depends>
             <attribute name="SecurityConfig">
               <security>
                 <role name="seamusers" read="true" write="true" create="true"/>
               </security>
             </attribute>
           </mbean>
          


          I have no authorization problem, but it forwards messages to the locally created queue, not to the remote one.
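
A check for the pattern the two posts above point at, as an added example that is not part of the thread or of JBoss Messaging. Names in the `java:` JNDI namespace are resolved inside the local JVM, so a provider loader that sets a remote `java.naming.provider.url` but keeps `java:/XAConnectionFactory` hands the bridge a connection factory for the local server, which matches the `LocalClientInvoker` frames in the stack trace. The function names and the trimmed sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

LOADER = "org.jboss.jms.jndi.JMSProviderLoader"
REF_ATTRS = ("FactoryRef", "QueueFactoryRef", "TopicFactoryRef")

# Constructed sample: the two provider loaders from the post, trimmed and wrapped in <server>.
SAMPLE = """<server>
 <mbean code="org.jboss.jms.jndi.JMSProviderLoader" name="jboss.messaging:service=JMSProviderLoader,name=JMSProvider">
  <attribute name="ProviderName">DefaultJMSProvider</attribute>
  <attribute name="FactoryRef">java:/XAConnectionFactory</attribute>
 </mbean>
 <mbean code="org.jboss.jms.jndi.JMSProviderLoader" name="jboss.messaging:service=JMSProviderLoader,name=SOClassRemoteJMSProvider">
  <attribute name="ProviderName">SOClassRemoteJMSProvider</attribute>
  <attribute name="FactoryRef">java:/XAConnectionFactory</attribute>
  <attribute name="QueueFactoryRef">java:/XAConnectionFactory</attribute>
  <attribute name="TopicFactoryRef">java:/XAConnectionFactory</attribute>
  <attribute name="Properties">
   java.naming.provider.url=192.168.100.78:1099
  </attribute>
 </mbean>
</server>"""

def parse_properties(text):
    """Parse the key=value lines held in a Properties attribute body."""
    props = {}
    for line in (text or "").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def vm_local_refs_on_remote_providers(xml_text):
    """Return (provider, attribute, ref, provider_url) for each java: ref on a remote provider."""
    findings = []
    for mbean in ET.fromstring(xml_text).iter("mbean"):
        if mbean.get("code") != LOADER:
            continue
        attrs = {a.get("name"): (a.text or "").strip() for a in mbean.findall("attribute")}
        url = parse_properties(attrs.get("Properties")).get("java.naming.provider.url")
        if not url:
            continue  # no remote naming server: java: names are the intended local lookup
        for ref in REF_ATTRS:
            if attrs.get(ref, "").startswith("java:"):
                findings.append((attrs.get("ProviderName"), ref, attrs[ref], url))
    return findings

if __name__ == "__main__":
    for finding in vm_local_refs_on_remote_providers(SAMPLE):
        print("%s: %s=%s resolves in the local VM, not at %s" % finding)
```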

          • 2. Re: Problem with user authorization using JBM Bridge configu
            gaohoward

            Hi, which versions of JBoss AS and JBM are you using? And how did you configure your security within JBoss?

            • 3. Re: Problem with user authorization using JBM Bridge configu

              Sorry, I should have provided info about JBoss before. Here is my version:

              11:18:45,872 INFO [ServerImpl] JBoss (Microcontainer) [5.0.1.GA (build: SVNTag=JBoss_5_0_1_GA date=200902232048)] Started in 44s:525ms

              I just copied the default server configuration and I am using oracle-persistence-service.xml, with just a change in the DataSource. Please note I have no problem when I am working locally without bridging.

              And here is my security config:

              <!-- messaging application-policy definition -->
              <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
                <authentication>
                  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                    <module-option name="unauthenticatedIdentity">guest</module-option>
                    <module-option name="dsJndiName">java:/FormMJMSDS</module-option>
                    <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
                    <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
                  </login-module>
                </authentication>
              </application-policy>

              <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
                <!-- default security configuration -->
                <property name="defaultSecurityConfig">
                  <![CDATA[
                  <security>
                    <role name="guest" read="true" write="true" create="true"/>
                  </security>
                  ]]>
                </property>
                <property name="suckerPassword">CHANGE ME!!</property>
                <property name="securityDomain">java:/jaas/messaging</property>
                <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
                <!-- @JMX annotation to export the management view of this bean -->
                <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.messaging:service=SecurityStore",exposedInterface=org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStoreMBean.class)</annotation>
              </bean>



              • 4. Re: Problem with user authorization using JBM Bridge configu

                In fact, it is the same story with the user. For instance, I have 2 JBoss servers running on different servers:

                1) JBoss - 1,
                username = local, password local123
                queue = LocalQueue
                2) JBoss - 2,
                username = remote, password remote123
                queue = RemoteQueue

                Now, when there are messages in LocalQueue, I want them forwarded automatically to RemoteQueue, and to do that I need to create the user 'remote' in JBoss - 1. I think it's not logical and can create problems with maintenance. If I change the password on one side, I have to do it on the other side as well.

                • 5. Re: Problem with user authorization using JBM Bridge configu

                  So, no response at all?